Industrial Security:  CIFS (Common Internet File System)

Written by Amandeep Yashpal, Product Specialist – Cyber Security & Networks – UAE

The Common Internet File System (CIFS) is the standard way that computer users share files across corporate intranets and the Internet.  An enhanced version of the Microsoft open, cross-platform Server Message Block (SMB) protocol, CIFS is a native file-sharing protocol in Windows 2000.

In operational environment, the life of an appliance is three to four years and it is easy to replace this appliance with a new appliance laced with advance technology. However, in an industrial environment, the life of a digital asset is 15 to 20 years and it’s a challenging job to always make any change in the critical environment.

In manifold industries, computer with window XP and older operating systems are in operation while Microsoft ended support for Window XP on April 8, 2014. Afterwards, Microsoft did not provide any security patch and other kind of support for the Window XP operating system.  Systems with an old operating system without updates  are more vulnerable to attacks and hence increase the attack surface.

To overcome this problem, secure the vulnerable system and protect  it from any malicious attack, Phoenix Contact came up with mGuard CIFS Integrity Monitoring Solution, which is in demand for protecting the systems having old operating systems in an industrial environment.

With mGuard CIFS Integrity Monitoring, Phoenix Contact offers an award-winning, industry suitable solution to protect Windows-based automation components against malware infestation. To achieve this, mGuard Integrity Monitoring supervises file systems against unexpected modifications or additions to programs, dynamic link libraries, and other executable code without utilizing virus patterns – thus eliminating the need for their permanent update. This innovation can even detect damages from zero day exploits for which virus patterns don’t even exist yet.

Benefit of CIFS

• Secure | reliable identification of malware modifications
• Independent | no need for anti-virus pattern updates
• Slim | reduced impacts on your system and real-time performance

CIFS Integrity Monitoring(CIM) – virus protection suitable for industrial applications

CIFS Integrity Monitoring (CIM) is an antivirus sensor from Phoenix Contact which is suitable for industrial applications. CIM is able to detect whether Windows-based systems such as controllers, operator interfaces or PCs have been manipulated, e.g., by malware, without the need to load virus patterns.

Where is CIM used?

CIM is predominantly used to protect non-patchable systems. Non-patchable systems are largely Window-based systems with one or more of the following properties:

• The system has an outdated operating system for which Microsoft no longer provides security patches.
• Systems which may no longer be modified because the delivery state has been certified by the manufacturer or a competent authority. In the event of software modification, e.g., as a result of an operating system update, the warranty would be voided or certification from the relevant authority would cease.
• Systems which may not be equipped with a virus scanner due to time-critical applications, e.g., in order to maintain real-time capability. Or those that are unable to update virus patterns because there is no Internet connection, for example.
• Systems which are intentionally not equipped with virus scanners or IDS/IPS (intrusion detection systems/intrusion prevention systems) because the entire application would be stopped even in the event of a false alarm.
• Systems whose users do not have the necessary expertise to install virus scanners or IDS/IPS without adversely affecting the system.

Non-patchable systems are used in various sectors of industry: e.g., for analysis systems in the chemical and pharmaceutical industry, for airbag manufacture in the automotive industry, as well as production with PC-based controllers.

How CIM works

CIFS Integrity Monitoring (CIM)

CIM regularly checks Windows systems against a reference status to determine whether certain files (e.g., .exe or .dll) have been changed.

If a file system to be checked is reconfigured or modified, a reference or integrity database must be created. This database contains the checksums of all files to be checked and is used as a basis for comparison (reference). It is either created on the first check or explicitly due to a specific reason.

If the checksum of a file has changed, this means that the file has been modified. If the user did not perform this change, it may have been modified by malware. The deletion or addition of a file is also detected. When a checksum change is detected, CIM generates an alarm either via e-mail or SNMP trap. The integrity database itself is protected against manipulation.

The CIFS antivirus scan connector enables external virus scanners to perform a virus scan on system drives protected by the MGUARD that are otherwise not externally accessible, e.g. industrial PCs in production cells. All network drives are combined by the FL MGUARD and mirrored to the outside as a single drive. This virtual drive can now be checked by an external virus scanner without the virus scanner having to access the real system.

Firewall and CIM comparison

Advantages of CIM

CIM offers many advantages for demanding industrial applications:

• Conserves the resources of the monitored system, e.g., CPU power or network load.
• Virus patterns do not have to be loaded.
• No false alarms during the integrity check.
• False alarms from the external virus scanner do not affect the monitored system as the external virus scanner cannot delete files or block their use.
• CIM monitors systems dynamically.
• CIM supplements security activities with virus scanning in closed systems and protects files against manipulation.

To learn more about FL MGUARD security routers from Phoenix Contact, please click here.